In the Linux kernel, the following vulnerability has been resolved:
f2fs: compress: fix to avoid use-after-free on dic
Call trace:
 __memcpy+0x128/0x250
 f2fs_read_multi_pages+0x940/0xf7c
 f2fs_mpage_readpages+0x5a8/0x624
 f2fs_readahead+0x5c/0x110
 page_cache_ra_unbounded+0x1b8/0x590
 do_sync_mmap_readahead+0x1dc/0x2e4
 filemap_fault+0x254/0xa8c
 f2fs_filemap_fault+0x2c/0x104
 __do_fault+0x7c/0x238
 do_handle_mm_fault+0x11bc/0x2d14
 do_mem_abort+0x3a8/0x1004
 el0_da+0x3c/0xa0
 el0t_64_sync_handler+0xc4/0xec
 el0t_64_sync+0x1b4/0x1b8
In f2fs_read_multi_pages(), once f2fs_decompress_cluster() has been called after hitting a cached page in compress_inode's cache, dic may be released; the loop needs to break rather than continue, in order to avoid accessing an invalid dic pointer.
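The continue-versus-break difference described above, as an added userspace model; it is not the kernel code or the upstream patch. The struct, the counter, the function bodies and the sample input are hypothetical stand-ins, and release is modelled with a flag so that any later access can be counted instead of touching freed memory.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical userspace stand-in for the decompress context ("dic"). */
struct dic_model {
    int remaining_pages; /* assumed counter: pages owed before decompression */
    bool released;       /* set where the kernel would free the object */
    int stale_accesses;  /* accesses after release; each would be a UAF */
};

/* Models decompress-then-release: dic must not be used once this returns. */
static void decompress_cluster(struct dic_model *dic)
{
    dic->released = true;
}

/* cached[i]: page i was found in the compressed-page cache.
 * remaining: constructed starting count; break_on_release: fixed behaviour.
 * Returns the number of accesses made after the context was released. */
int read_multi_pages(const bool *cached, int nr_cpages, int remaining,
                     bool break_on_release)
{
    struct dic_model dic = { .remaining_pages = remaining };

    for (int i = 0; i < nr_cpages; i++) {
        if (dic.released) /* model: every iteration reads the context */
            dic.stale_accesses++;
        if (!cached[i])
            continue; /* uncached page: I/O would be queued instead */
        if (--dic.remaining_pages == 0) {
            decompress_cluster(&dic);
            if (break_on_release)
                break; /* nothing below may look at dic again */
        }
    }
    return dic.stale_accesses;
}

/* Constructed sample: every page of a four-page cluster hits the cache. */
static const bool sample_hits[4] = { true, true, true, true };

int main(void)
{
    printf("continue: %d stale, break: %d stale\n",
           read_multi_pages(sample_hits, 4, 2, false),
           read_multi_pages(sample_hits, 4, 2, true));
    return 0;
}
```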